The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

to recognize that there is something suspicious about his requests. It makes his job not only easier, but also less risky—as the stories in this chapter illustrate.

Mitnick Message

Asking a coworker or subordinate to do a favor is a common practice. Social engineers know how to exploit people’s natural desire to help and be a team player. An attacker exploits this positive human trait to deceive unsuspecting employees into performing actions that advance him toward his goal. It’s important to understand this simple concept so you will be more likely to recognize when another person is trying to manipulate you.

Deceiving the Unwary

I’ve emphasized earlier the need to train employees thoroughly enough that they will never allow themselves to be talked into carrying out the instructions of a stranger. All employees also need to understand the danger of carrying out a request to take any action on another person’s computer. Company policy should prohibit this except when specifically approved by a manager. Allowable situations include:

• When the request is made by a person well known to you, with the request made either face-to-face, or over the telephone when you unmistakably recognize the voice of the caller.

• When you positively verify the identity of the requestor through approved procedures.

• When the action is authorized by a supervisor or other person in authority who is personally familiar with the requestor.

Employees must be trained not to assist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circumvent a security policy.

Every company also needs to have policies and procedures that guide employees in responding to requests to take any action with computers or computer-related equipment. In the story about the publishing company, the social engineer targeted a new employee who had not been trained on information security policies and procedures. To prevent this type of attack, every existing and new employee must be told to follow a simple rule: Do not use any computer system to perform an action requested by a stranger. Period.

Remember that any employee who has physical or electronic access to a computer or an item of computer-related equipment is vulnerable to being manipulated into taking some malicious action on behalf of an attacker.

Employees, and especially IT personnel, need to understand that allowing an outsider to gain access to their computer networks is like giving your bank account number to a telemarketer or giving your telephone calling card number to a stranger in jail. Employees must give thoughtful attention to whether carrying out a request can lead to disclosure of sensitive information or the compromising of the corporate computer system.

IT people must also be on their guard against unknown callers posing as vendors. In general, a company should consider having specific people designated as the contacts for each technology vendor, with a policy in place that other employees will not respond to vendor requests for information about or changes to any telephone or computer equipment. That way, the designated people become familiar with the vendor personnel who call or visit, and are less likely to be deceived by an imposter. If a vendor calls even when the company does not have a support contract, that should also raise suspicions.

Everyone in the organization needs to be made aware of information security threats and vulnerabilities. Note that security guards and the like need to be given not just security training, but training in information security, as well. Because security guards frequently have physical access to the entire facility, they must be able to recognize the types of social engineering attacks that may be used against them.

Beware Spyware

Commercial

